Ensure 'secure_file_priv' Is Not Empty

Description

The secure_file_priv option restricts the file system paths that LOAD DATA INFILE or SELECT local_file may use.

It is recommended that this option be set to a file system location that contains only resources expected to be loaded by MySQL.

Rationale

Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      mysql

Default Rule

const { getServerSetting, isEmpty } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {boolean} true if the database instance has a path configured in secure_file_priv option that's not empty
 */
function validate(databaseSettings) {
    const settingName = "secure_file_priv"
    const currentValue = getServerSetting(databaseSettings, settingName)
    const success = !isEmpty(currentValue)

    return {
        success,
    }
}

// invoke
validate(databaseSettings);
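The rule above only asks whether the value is non-empty. The following is an added, stand-alone example (not SecureCloudDB's rule engine or its `module` helpers) that evaluates the same check against constructed instance settings and also reports why each instance passed or failed. It assumes a flat `{ parameters: { name: value } }` settings shape and supplies its own `getServerSetting` and `isEmpty` stand-ins; it goes one step beyond the page's rule by distinguishing the three ways MySQL interprets secure_file_priv (empty string, NULL, directory path).

```javascript
// Added example, not SecureCloudDB's rule engine. getServerSetting/isEmpty are
// assumed stand-ins for the helpers the rule page imports from `module`, and the
// settings shape ({ parameters: { name: value } }) is an assumption as well.

function getServerSetting(databaseSettings, name) {
  const params = (databaseSettings && databaseSettings.parameters) || {};
  return Object.prototype.hasOwnProperty.call(params, name) ? params[name] : undefined;
}

function isEmpty(value) {
  return value === undefined || value === null || String(value).trim() === "";
}

// MySQL interprets secure_file_priv three ways; only one is the insecure state
// the rule is after:
//   ""            no restriction: LOAD DATA INFILE / LOAD_FILE() may touch any
//                 path the server process can read                     -> fail
//   NULL          import/export operations disabled entirely           -> pass
//   "/some/dir"   file operations confined to that directory           -> pass
// A setting that is not reported at all cannot be shown to be restricted -> fail
function classifySecureFilePriv(value) {
  if (value === undefined) {
    return { success: false, reason: "secure_file_priv not reported for this instance" };
  }
  // SQL NULL arrives as JS null from a driver, or as the text "NULL" in a
  // SHOW VARIABLES dump; both mean file import/export is switched off.
  if (value === null || String(value).trim().toUpperCase() === "NULL") {
    return { success: true, reason: "file import/export disabled (secure_file_priv is NULL)" };
  }
  const path = String(value).trim();
  if (path === "") {
    return { success: false, reason: "secure_file_priv is empty: file reads are not confined to any directory" };
  }
  return { success: true, reason: `file operations confined to ${path}` };
}

// Same contract as the page's rule (returns { success }), plus reason and raw value.
function validate(databaseSettings) {
  const settingName = "secure_file_priv";
  const currentValue = getServerSetting(databaseSettings, settingName);
  const verdict = classifySecureFilePriv(currentValue);
  return { success: verdict.success, reason: verdict.reason, value: currentValue };
}

// Constructed sample instances (not real RDS output) covering each case.
const SAMPLE_INSTANCES = {
  unrestricted: { parameters: { secure_file_priv: "" } },
  confined:     { parameters: { secure_file_priv: "/var/lib/mysql-files/" } },
  disabled:     { parameters: { secure_file_priv: "NULL" } },
  unreported:   { parameters: {} },
};

// Evaluate every instance and return the names of those that fail the rule.
function failingInstances(instances = SAMPLE_INSTANCES) {
  return Object.keys(instances).filter((name) => !validate(instances[name]).success);
}

// One human-readable line per instance, e.g. for a console report.
function reportLines(instances = SAMPLE_INSTANCES) {
  return Object.entries(instances).map(([name, settings]) => {
    const r = validate(settings);
    return `${name.padEnd(12)} ${r.success ? "PASS" : "FAIL"}  ${r.reason}`;
  });
}
```

Call `reportLines()` to print the verdicts, or `failingInstances()` to get just the names that need attention. The one place this example and the page's rule disagree is a driver that returns SQL NULL as a JavaScript null: the page's `isEmpty` treats that as empty and reports a failure, while the classifier above treats it as "file operations disabled" and passes it. Decide which reading you want before relying on either verdict for instances where the option is NULL.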